What you need to know

• The Attorney-General's Department (AGD) released its latest paper on the proposed updates to the Privacy Act last week.
• The data-dealing constituency is happy that the unqualified right to opt-out of targeting has been jettisoned, as has the more aggressive treatment of de-identified information.
• But there are plenty of fights yet to be had over targeting, data trading, and the very definition of personal information.
• Consumers still retain an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes... in principle.
• Media, and to a much greater extent politicians, have been gifted a leave pass. In fact, seven of the 10 proposal the government rejected outright relate to how political parties use your data, but that may just be a happy coincidence.
• Small business has lost its exemption – due to concerns over cyber security.
• But there is widespread agreement, sort of, over tightening up advertising to children. Peter Leonard says advertising to children will effectively become a thing of the past. Clay Gill, CEO of Kinesso Australia, agrees.
• Brands basking in the aura of GDPR-compliant immunity should take note, until definitions are settled there's a chance Australia's law might go further than the European Act in some areas, according to ADMA. 
• Auditability just got a lot more complicated, which is problematic since a lot of brands are already operating outside current privacy guidelines – and laws – unwittingly.
• Agencies say customers aren't waiting and are already future-proofing.

The Commonwealth Government has abandoned plans to give consumers an unqualified right to opt-out of targeted advertising. However, it agrees in principle that they should have an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes. 

Meanwhile, brands, publishers, and data brokers won't need to tie themselves into as many knots over de-identified data as the government has largely walked back the idea of treating this the same way as identifiable information.

But there is also an unexpected sting for the industry in the report released last Thursday which appears to extend the definition of personal information to include the notion that a person may be reasonably identified where they're able to be distinguished from all others, even if their identity is not known. (Think of this as the "I know everything about you but your name" provision.)

This provision has some industry insiders confused about whether the government is actually moving the cheese on the definition of personal information, or whether by attempting to provide further clarity, it's accidentally made things more opaque.

Small businesses with less than $3 million have lost their exemption. And there are still plenty of opportunities for arguments after the Attorney-General's Department (AGD) kicked the resolution of more than 60 proposals down the road by "agreeing in principle" but acknowledging the gaps that need to be filled in.

Some of those "agreed in principle proposals" such as those relating to targeting, trading, and consent are likely to prove the principle sources of disagreement in the months ahead as the government moves towards legislating next year.

The AGD's approach appears to confirm earlier predictions of a two-speed approach by lawmakers, as outlined by Peter Leonard, Professor of Practice, UNSW Business School and Principal, Data Synergies, in March:

"There is a good chance government will respond to the comments it gets ... and put up two lists: What are the things that everybody seems to sign off on; what are the things that seem very controversial? It may then take a two-phase legislative approach where the first round of changes happen pretty quickly – and the others further down the track. So there are a lot of things in play.”

The upside for consumers is that they will not be assaulted by a flood of consent pop-ups aka GDPR as the emphasis remains on businesses to solve the privacy problem, rather than for punters to consent away their rights.

But for brands that believe they are sitting pretty because they already tick all of the GDPR boxes, there is a warning from ADMA's head of regulatory affairs Sarla Fernando. She says in some areas the local legislation could go further than the European rules: "Don't get too comfortable, because this is not a mini-me. There are things that could look very different. You still need to get across your data practices. You still to get across things like data minimisation and all the things that you should do for best practice. Don't just assume 'Hey, we've already had to deal with GDPR. We're sorted.'"

Kids off limits

If there is one thing everyone agrees on, it's children.

Kind of. 

"It's clear the government is very focused on the protection of children and other vulnerable people, that the clear intention does vary significantly for information relating to children, in particular," per Data Synergies' Peter Leonard. "Marketing to and targeting children will likely become a thing of the past."

The AGD's report nodded to the 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey, which found that protecting their children's privacy is a major concern for 79 per cent of Australian parents (makes you wonder about the other 21 per cent, though these may be influencer parents), while the privacy of their children’s personal information was rated as being of high importance to 91 per cent of parents when deciding to provide their child with access to digital devices and service.

According to the AGD's privacy paper, "Children are particularly vulnerable to online harms. Children increasingly rely on online platforms, social media, mobile applications, and other internet-connected devices in their everyday lives. While these services provide many benefits to children and young people, there is concern that children are increasingly being ‘datafied’, with thousands of data points being collected about them, including information about their activities, location, gender, interests, hobbies, moods, mental health, and relationship status."

But even the privacy provisions for kids – which ought to be a lay-down misere for the government – are qualified with lot of "agreed in principle" responses.

The general industry sentiment about the provisions for children was encapsulated in remarks by Clay Gill, CEO of Kinesso Australia.

"Children advertising should be completely off the books," he told Mi3. "But the government acknowledges that there are moments where, especially during Covid, that form of information was immensely useful and quick. We still need that information and advertisers need that information. Now it's just a question of where the line is – and we don’t know yet."

On the wider issue of the full report, Gill said, "There is a long way to go, but the industry needs to consider upping their game on things like content and contextual advertising or targeting because they can see that we need a plan B and C, should the government become quite sensitive about  targeting.

“The tone of it was that we really have to consider this strongly because it could affect our industry massively, including a very fragile local publishing industry – because how on earth are they going to substantiate that content, which is free. And that's the problem."

“If there's one thing I'm reading through all this, they're trying to avoid consent fatigue, but I'm not seeing that abating – because every single time you go to a publisher's a site, they're going to have to consent to that."

Gill said IPG Mediabrands has invested heavily in anticipating privacy changes, but he sees a heavy burden for smaller businesses.

“The scary part for the Australian industry is small to medium-sized businesses and the level of investment that is going to be required of them to be transparent, and in line with the OAIP guidelines. They're going to have to really invest a lot in this space," per Gill.

ADMA's Sarla Fernando, Director of Regulatory and Advocacy, said the industry association was particularly pleased that the government has taken unconditional opt-outs of targeted advertising off the table.

"Being able to opt out of targeted communications would have been really bad for the digital marketing industry."

Fernando said that what the government originally proposed was, "from an operational point of view, really impossible."

But she indicated ADMA is worried over a lack of clarity around definitions for things like targeting, trading, and even what constitutes personal information. Fernando thinks government's timetable may yet prove too ambitious – though warned firms not to delay taking action on that basis.

"We won't really know [until we see] definitions. But I'd encourage people to really start getting across the data. Yes, the government has said that they are planning to do this next year. It is possible that there could still be a few iterations because there's a lot more consultation to be taking place."

"So start preparing your data now. Start understanding the data that you have, the transparency, the notices that you have. Start to make sure that you put what has been suggested, even if it's [only] agreed in principle, into practice."

She told Mi3 that industry should make clear with government what is possible, and what is not: "Right now we have the opportunity to say, 'Hang on a second, you say you agree in principle, so this part makes sense. But if you to go to this part, it's impossible to actually implement."

Like ADMA, IAB expressed relief that the government has indicated the need for more consultation via the more than 60 proposals that have been "agreed in principle."

"That's because they do actually need to assess the impact on industry before coming to a final decision," said Sarah Waladan, Director, Policy and Regulatory Affairs at IAB.

IAB's worries mirror many of those expressed by ADMA, with Waladan calling out targeting and the definition of personal information. "The definition of personal information is a big one, and that’s a big concern for us."

On targeting she said: "There are still some substantial restrictions that are being proposed on targeting and there are still some proposals we have issues with – the definition is still a problem. However, the government's response acknowledges that the definitions of targeting and trading still require substantial further consideration. We think that is a positive sign."

IAB is particularly concerned with the 'fair and reasonable' test which sits at the heart of the government's approach (and also enables it to avoid the kind of pop up consent spam approach that characterised the early days of GDPR.)

"They're defining targeting really broadly, it needs to be narrowed back. The main problem is that targeting needs to be both fair and reasonable but I think we need to have a more detailed conversation with the government about what is fair and reasonable."

For instance, she flagged issues such as measurement, ad effectiveness, and segmentation, in a situation where someone is not reasonably identifiable. 

"We think are essential basic necessities for business functions. And we really need to understand that they are going to be seen as fair and reasonable, " she said.

The problem, as lawyers have flagged, is that the definition of what is 'fair' can be arbitrary. Which may leave firms open to litigation from people challenging the definition of fairness, with the ADG widening avenues that enable individuals to seek legal recourse.

“We'll never please everyone that digital advertising practices, digital advertising is fair. If there is a legal requirement, coupled with planning class actions, chasing this industry argument that everything is unfair, that will be a catastrophe," Data Synergies' Peter Leonard, speaking alongside Waladan, has previously warned.

Leonard said the latest paper provides "some greater clarity in relation to the proposed definition of personal information", while the government has also resisted pressure to push the burden of consent back onto consumers.

"It rightly recognised the way to address excessive uses of personal information is not to burden consumers even further with the information they need to understand and apply to determine how businesses treat them," per Leonard.

The emphasis instead is on moving to what he calls organisational accountability.

"That is the responsibility of service providers to ensure that their collection and uses and disclosures of information are appropriate. Whether fair and reasonable is the appropriate formulation or not is a subject for further discussion," he said.

"But I think what is clear that with notice and consent, we're not going down the European path of increasing the burden on consumers."

Rules for thee, but not for me

Leonard criticised the failure to address media and political exemptions.

"I think they are remarkably conservative in the way they are proposing to address media exemptions, they could have done a lot more on that. I think their failure to address the political parties exception is a significant shortcoming – particularly as we see more and more disinformation and misinformation."

Apropos of nothing, seven out of the 10 proposals the government rejected relate to tightening how political parties use information.

'Reasonably identifiable' defined?

Salinger Privacy's Anna Johnston, a former deputy privacy commissioner for NSW, speaking on a podcast hosted by Washington DC-based Jules Polonetsky the day after the AGD's report was released, addressed the vexed question of the definition of personal information.

"The definition is not too dissimilar to the definition in GDPR. In the sense that it talks about personal information is within scope of the privacy law if it's information or opinion about an individual who is identified or reasonably identifiable."

But it's that phrase 'reasonably identifiable' that's created the drama in the past she suggested.

"What we hopefully will have with the government's commitment yesterday, is an understanding that the phrase reasonably identifiable can encompass people where they can be singled out – or in my word individuated – or disambiguated and recognised as a unique individual within a crowd, without necessarily needing to know their identity."

"What we've got now is a law that says personal information includes where someone is 'reasonably identifiable', that's what the statute says. A regulator says reasonably identifiable doesn't necessarily mean you need to know the identity or name of the person. It means you can distinguish them from others. What we've seen now is the government saying, well we agree with the OAIC position. And that this is the direction that the law reform should be going in."

Johnston has been arguing for this kind of change for many years because it closes a loophole that's so big you could drive a Google mapping truck through it.

"We see a lot of invasive behaviour, particularly online, where companies have either escaped regulation or at least are arguing ... that we can track what people are doing, we can link up their data, we can build these profiles because we don't actually know the person's name. We can track them across the internet, we know what they're doing, we can message them, we can contact them, we can try and influence them, we can try and sway elections by messaging them, we can try and get them addicted to gambling, we can try and sell them all sorts of things but we don't need to comply with the Privacy Act, because we don't actually know the person's name."

Auditability

Chris Brinkworth, managing partner of Civic Data stressed the need for auditability of data use, something he said is already creating risks under the current provisions of the act, and which will be amplified under the proposed changes.

"Anything that tracks data – pixels, tracking tags, forms, anything that people didn't previously consider as a direct identifier – now has to be understood from an audit perspective. And it's got to be covered to ensure whether what they do with that data is fair and reasonable."

According to Brinkworth, who is also co-chair of the IAB Australia data council, "If you don't understand across your entire business, and you're not starting to prep for it, you will get in a lot of trouble. Brands are already leaking what is considered personal information under the current Australian Privacy Principles."

For instance, he says some brands are sending data to Google Analytics even though Google explicitly says not to. "They're sending it anyway. Because they don't know they are doing it."

"Brands and publishers do it as well. Anyone who collects data on their website, quite often they're unknowingly sending things like date of birth or email address or other such information into Google Analytics – still, even after a recent update to GA4. It's going against Google's terms of conditions, but also Australian Privacy Principles."

It also adds additional complexity and cost, he suggests. "If you want to remove it from GA4, you've got to remove a whole bunch of other bits of data from GA4 at the same time."

Publisher positivity

While organisations such as IAB and ADMA have expressed concerns about key definitions in the paper, Dan Richardson, Yahoo's Director of Data, Asia Pacific, said he saw the overall update as a positive step forward, particularly with regard to targeting.

"My overriding sentiment is that it is positive that they do recognise there is a need for an open, ad-funded internet," he said, claiming Yahoo has a one click option for people to opt out from its ID graph.

"For us, it’s about making [consent] more clear or accessible to consumers and without placing on them a heavy burden of consent or lengthy privacy statements."

But Richardson believes the incoming changes presage a more complicated future for some service providers – especially those that can't really tell what has been consented and what hasn't. 

"Anyone who is reliant on data for planning or activation of media that is collected through a network model, or through vendors, which is licensed or sublicensed data ... I think if you're looking at how the definition of targeting and PII is going, it's really important that they can secure the appropriate consent," he said.

“I worry that there are many vendors out there that are working on a consortium or licencing/sub-licencing model of data where the end consumer doesn't really know who they are, they're not familiar with who that vendor is. So that conversation if it needs to happen, is not going to be easy," he said.

Tech impacts

Many organisations are not waiting for the legislation to land, and are already making changes, according to agencies and implementers Mi3 spoke with.

But Marc Williamson, Director of Data Labs, R/GA Australia said the onus is on firms to make sure their tech choices and partnerships are likely to be future proofed.

He told Mi3, "For businesses investing more heavily in marketing efforts, we’d strongly recommend paying close attention to contractual clauses in this space to make sure less experienced, international vendors comply with the changes laid out by the OAIC."

Williamson said amongst his state and federal government clients there is a push by internal architecture and security groups to challenge their digital teams to take greater ownership and control of data. "The hope is that’ll lead to more secure and relevant interactions for citizen services. And as a result of this scrutiny, there’s been a shift in moving all data-based solutions from a client-side to a server-side configuration – all aimed at enabling more ownership and control over data."

He said one of the biggest takeaways from the report is the updated definitions of consent.

"Businesses have to get clear and informed consent before handling personal information. It’s a big change that’s going to affect a lot of businesses that relied on older consents obtained before these updates. We expect a shakeup in this area, pushing businesses to invest in consent architecture to handle consent more effectively."